458 lines
18 KiB
Plaintext
458 lines
18 KiB
Plaintext
.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
|
|
.\"
|
|
.\" Standard preamble:
|
|
.\" ========================================================================
|
|
.de Sp \" Vertical space (when we can't use .PP)
|
|
.if t .sp .5v
|
|
.if n .sp
|
|
..
|
|
.de Vb \" Begin verbatim text
|
|
.ft CW
|
|
.nf
|
|
.ne \\$1
|
|
..
|
|
.de Ve \" End verbatim text
|
|
.ft R
|
|
.fi
|
|
..
|
|
.\" Set up some character translations and predefined strings. \*(-- will
|
|
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
|
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
|
|
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
|
|
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
|
|
.\" nothing in troff, for use with C<>.
|
|
.tr \(*W-
|
|
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
|
.ie n \{\
|
|
. ds -- \(*W-
|
|
. ds PI pi
|
|
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
|
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
|
. ds L" ""
|
|
. ds R" ""
|
|
. ds C` ""
|
|
. ds C' ""
|
|
'br\}
|
|
.el\{\
|
|
. ds -- \|\(em\|
|
|
. ds PI \(*p
|
|
. ds L" ``
|
|
. ds R" ''
|
|
. ds C`
|
|
. ds C'
|
|
'br\}
|
|
.\"
|
|
.\" Escape single quotes in literal strings from groff's Unicode transform.
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\"
|
|
.\" If the F register is turned on, we'll generate index entries on stderr for
|
|
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
|
|
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
|
.\" output yourself in some meaningful fashion.
|
|
.\"
|
|
.\" Avoid warning from groff about undefined register 'F'.
|
|
.de IX
|
|
..
|
|
.nr rF 0
|
|
.if \n(.g .if rF .nr rF 1
|
|
.if (\n(rF:(\n(.g==0)) \{
|
|
. if \nF \{
|
|
. de IX
|
|
. tm Index:\\$1\t\\n%\t"\\$2"
|
|
..
|
|
. if !\nF==2 \{
|
|
. nr % 0
|
|
. nr F 2
|
|
. \}
|
|
. \}
|
|
.\}
|
|
.rr rF
|
|
.\"
|
|
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
|
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
|
. \" fudge factors for nroff and troff
|
|
.if n \{\
|
|
. ds #H 0
|
|
. ds #V .8m
|
|
. ds #F .3m
|
|
. ds #[ \f1
|
|
. ds #] \fP
|
|
.\}
|
|
.if t \{\
|
|
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
|
. ds #V .6m
|
|
. ds #F 0
|
|
. ds #[ \&
|
|
. ds #] \&
|
|
.\}
|
|
. \" simple accents for nroff and troff
|
|
.if n \{\
|
|
. ds ' \&
|
|
. ds ` \&
|
|
. ds ^ \&
|
|
. ds , \&
|
|
. ds ~ ~
|
|
. ds /
|
|
.\}
|
|
.if t \{\
|
|
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
|
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
|
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
|
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
|
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
|
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
|
.\}
|
|
. \" troff and (daisy-wheel) nroff accents
|
|
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
|
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
|
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
|
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
|
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
|
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
|
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
|
.ds ae a\h'-(\w'a'u*4/10)'e
|
|
.ds Ae A\h'-(\w'A'u*4/10)'E
|
|
. \" corrections for vroff
|
|
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
|
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
|
. \" for low resolution devices (crt and lpr)
|
|
.if \n(.H>23 .if \n(.V>19 \
|
|
\{\
|
|
. ds : e
|
|
. ds 8 ss
|
|
. ds o a
|
|
. ds d- d\h'-1'\(ga
|
|
. ds D- D\h'-1'\(hy
|
|
. ds th \o'bp'
|
|
. ds Th \o'LP'
|
|
. ds ae ae
|
|
. ds Ae AE
|
|
.\}
|
|
.rm #[ #] #H #V #F C
|
|
.\" ========================================================================
|
|
.\"
|
|
.IX Title "EVP_PKEY-DH 7ossl"
|
|
.TH EVP_PKEY-DH 7ossl "2024-01-30" "3.2.1" "OpenSSL"
|
|
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
|
.\" way too many mistakes in technical documents.
|
|
.if n .ad l
|
|
.nh
|
|
.SH "NAME"
|
|
EVP_PKEY\-DH, EVP_PKEY\-DHX, EVP_KEYMGMT\-DH, EVP_KEYMGMT\-DHX
|
|
\&\- EVP_PKEY DH and DHX keytype and algorithm support
|
|
.SH "DESCRIPTION"
|
|
.IX Header "DESCRIPTION"
|
|
For \fB\s-1DH\s0\fR \s-1FFC\s0 key agreement, two classes of domain parameters can be used:
|
|
\&\*(L"safe\*(R" domain parameters that are associated with approved named safe-prime
|
|
groups, and a class of \*(L"FIPS186\-type\*(R" domain parameters. FIPS186\-type domain
|
|
parameters should only be used for backward compatibility with existing
|
|
applications that cannot be upgraded to use the approved safe-prime groups.
|
|
.PP
|
|
See \s-1\fIEVP_PKEY\-FFC\s0\fR\|(7) for more information about \s-1FFC\s0 keys.
|
|
.PP
|
|
The \fB\s-1DH\s0\fR key type uses PKCS#3 format which saves \fIp\fR and \fIg\fR, but not the
|
|
\&\fIq\fR value.
|
|
The \fB\s-1DHX\s0\fR key type uses X9.42 format which saves the value of \fIq\fR and this
|
|
must be used for \s-1FIPS186\-4.\s0 If key validation is required, users should be aware
|
|
of the nuances associated with \s-1FIPS186\-4\s0 style parameters as discussed in
|
|
\&\*(L"\s-1DH\s0 key validation\*(R".
|
|
.SS "\s-1DH\s0 and \s-1DHX\s0 domain parameters"
|
|
.IX Subsection "DH and DHX domain parameters"
|
|
In addition to the common \s-1FCC\s0 parameters that all \s-1FFC\s0 keytypes should support
|
|
(see \*(L"\s-1FFC\s0 parameters\*(R" in \s-1\fIEVP_PKEY\-FFC\s0\fR\|(7)) the \fB\s-1DHX\s0\fR and \fB\s-1DH\s0\fR keytype
|
|
implementations support the following:
|
|
.ie n .IP """group"" (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
|
|
.el .IP "``group'' (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
|
|
.IX Item "group (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>"
|
|
Sets or gets a string that associates a \fB\s-1DH\s0\fR or \fB\s-1DHX\s0\fR named safe prime group
|
|
with known values for \fIp\fR, \fIq\fR and \fIg\fR.
|
|
.Sp
|
|
The following values can be used by the OpenSSL's default and \s-1FIPS\s0 providers:
|
|
\&\*(L"ffdhe2048\*(R", \*(L"ffdhe3072\*(R", \*(L"ffdhe4096\*(R", \*(L"ffdhe6144\*(R", \*(L"ffdhe8192\*(R",
|
|
\&\*(L"modp_2048\*(R", \*(L"modp_3072\*(R", \*(L"modp_4096\*(R", \*(L"modp_6144\*(R", \*(L"modp_8192\*(R".
|
|
.Sp
|
|
The following additional values can also be used by OpenSSL's default provider:
|
|
\&\*(L"modp_1536\*(R", \*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R", \*(L"dh_2048_256\*(R".
|
|
.Sp
|
|
\&\s-1DH/DHX\s0 named groups can be easily validated since the parameters are well known.
|
|
For protocols that only transfer \fIp\fR and \fIg\fR the value of \fIq\fR can also be
|
|
retrieved.
|
|
.SS "\s-1DH\s0 and \s-1DHX\s0 additional parameters"
|
|
.IX Subsection "DH and DHX additional parameters"
|
|
.ie n .IP """encoded-pub-key"" (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
|
|
.el .IP "``encoded-pub-key'' (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
|
|
.IX Item "encoded-pub-key (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
|
|
Used for getting and setting the encoding of the \s-1DH\s0 public key used in a key
|
|
exchange message for the \s-1TLS\s0 protocol.
|
|
See \fIEVP_PKEY_set1_encoded_public_key()\fR and \fIEVP_PKEY_get1_encoded_public_key()\fR.
|
|
.SS "\s-1DH\s0 additional domain parameters"
|
|
.IX Subsection "DH additional domain parameters"
|
|
.ie n .IP """safeprime-generator"" (\fB\s-1OSSL_PKEY_PARAM_DH_GENERATOR\s0\fR) <integer>" 4
|
|
.el .IP "``safeprime-generator'' (\fB\s-1OSSL_PKEY_PARAM_DH_GENERATOR\s0\fR) <integer>" 4
|
|
.IX Item "safeprime-generator (OSSL_PKEY_PARAM_DH_GENERATOR) <integer>"
|
|
Used for \s-1DH\s0 generation of safe primes using the old safe prime generator code.
|
|
The default value is 2.
|
|
It is recommended to use a named safe prime group instead, if domain parameter
|
|
validation is required.
|
|
.Sp
|
|
Randomly generated safe primes are not allowed by \s-1FIPS,\s0 so setting this value
|
|
for the OpenSSL \s-1FIPS\s0 provider will instead choose a named safe prime group
|
|
based on the size of \fIp\fR.
|
|
.SS "\s-1DH\s0 and \s-1DHX\s0 domain parameter / key generation parameters"
|
|
.IX Subsection "DH and DHX domain parameter / key generation parameters"
|
|
In addition to the common \s-1FFC\s0 key generation parameters that all \s-1FFC\s0 key types
|
|
should support (see \*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1\fIEVP_PKEY\-FFC\s0\fR\|(7)) the
|
|
\&\fB\s-1DH\s0\fR and \fB\s-1DHX\s0\fR keytype implementation supports the following:
|
|
.ie n .IP """type"" (\fB\s-1OSSL_PKEY_PARAM_FFC_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
|
|
.el .IP "``type'' (\fB\s-1OSSL_PKEY_PARAM_FFC_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
|
|
.IX Item "type (OSSL_PKEY_PARAM_FFC_TYPE) <UTF8 string>"
|
|
Sets the type of parameter generation. For \fB\s-1DH\s0\fR valid values are:
|
|
.RS 4
|
|
.ie n .IP """fips186_4""" 4
|
|
.el .IP "``fips186_4''" 4
|
|
.IX Item "fips186_4"
|
|
.PD 0
|
|
.ie n .IP """default""" 4
|
|
.el .IP "``default''" 4
|
|
.IX Item "default"
|
|
.ie n .IP """fips186_2""" 4
|
|
.el .IP "``fips186_2''" 4
|
|
.IX Item "fips186_2"
|
|
.PD
|
|
These are described in \*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1\fIEVP_PKEY\-FFC\s0\fR\|(7)
|
|
.ie n .IP """group""" 4
|
|
.el .IP "``group''" 4
|
|
.IX Item "group"
|
|
This specifies that a named safe prime name will be chosen using the \*(L"pbits\*(R"
|
|
type.
|
|
.ie n .IP """generator""" 4
|
|
.el .IP "``generator''" 4
|
|
.IX Item "generator"
|
|
A safe prime generator. See the \*(L"safeprime-generator\*(R" type above.
|
|
This is only valid for \fB\s-1DH\s0\fR keys.
|
|
.RE
|
|
.RS 4
|
|
.RE
|
|
.ie n .IP """pbits"" (\fB\s-1OSSL_PKEY_PARAM_FFC_PBITS\s0\fR) <unsigned integer>" 4
|
|
.el .IP "``pbits'' (\fB\s-1OSSL_PKEY_PARAM_FFC_PBITS\s0\fR) <unsigned integer>" 4
|
|
.IX Item "pbits (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>"
|
|
Sets the size (in bits) of the prime 'p'.
|
|
.Sp
|
|
For \*(L"fips186_4\*(R" this must be 2048.
|
|
For \*(L"fips186_2\*(R" this must be 1024.
|
|
For \*(L"group\*(R" this can be any one of 2048, 3072, 4096, 6144 or 8192.
|
|
.ie n .IP """priv_len"" (\fB\s-1OSSL_PKEY_PARAM_DH_PRIV_LEN\s0\fR) <integer>" 4
|
|
.el .IP "``priv_len'' (\fB\s-1OSSL_PKEY_PARAM_DH_PRIV_LEN\s0\fR) <integer>" 4
|
|
.IX Item "priv_len (OSSL_PKEY_PARAM_DH_PRIV_LEN) <integer>"
|
|
An optional value to set the maximum length of the generated private key.
|
|
The default value used if this is not set is the maximum value of
|
|
BN_num_bits(\fIq\fR)). The minimum value that this can be set to is 2 * s.
|
|
Where s is the security strength of the key which has values of
|
|
112, 128, 152, 176 and 200 for key sizes of 2048, 3072, 4096, 6144 and 8192.
|
|
.SS "\s-1DH\s0 key validation"
|
|
.IX Subsection "DH key validation"
|
|
For \fB\s-1DHX\s0\fR that is not a named group the \s-1FIPS186\-4\s0 standard specifies that the
|
|
values used for \s-1FFC\s0 parameter generation are also required for parameter
|
|
validation. This means that optional \s-1FFC\s0 domain parameter values for
|
|
\&\fIseed\fR, \fIpcounter\fR and \fIgindex\fR or \fIhindex\fR may need to be stored for
|
|
validation purposes.
|
|
For \fB\s-1DHX\s0\fR the \fIseed\fR and \fIpcounter\fR can be stored in \s-1ASN1\s0 data
|
|
(but the \fIgindex\fR or \fIhindex\fR cannot be stored). It is recommended to use a
|
|
named safe prime group instead.
|
|
.PP
|
|
For \s-1DH\s0 keys, \fIEVP_PKEY_param_check\fR\|(3) behaves in the following way:
|
|
The OpenSSL \s-1FIPS\s0 provider tests if the parameters are either an approved safe
|
|
prime group \s-1OR\s0 that the \s-1FFC\s0 parameters conform to \s-1FIPS186\-4\s0 as defined in
|
|
SP800\-56Ar3 \fIAssurances of Domain-Parameter Validity\fR.
|
|
The OpenSSL default provider uses simpler checks that allows there to be no \fIq\fR
|
|
value for backwards compatibility.
|
|
.PP
|
|
For \s-1DH\s0 keys, \fIEVP_PKEY_param_check_quick\fR\|(3) is equivalent to
|
|
\&\fIEVP_PKEY_param_check\fR\|(3).
|
|
.PP
|
|
For \s-1DH\s0 keys, \fIEVP_PKEY_public_check\fR\|(3) conforms to
|
|
SP800\-56Ar3 \fI\s-1FFC\s0 Full Public-Key Validation\fR.
|
|
.PP
|
|
For \s-1DH\s0 keys, \fIEVP_PKEY_public_check_quick\fR\|(3) conforms to
|
|
SP800\-56Ar3 \fI\s-1FFC\s0 Partial Public-Key Validation\fR when the
|
|
\&\s-1DH\s0 key is an approved named safe prime group, otherwise it is the same as
|
|
\&\fIEVP_PKEY_public_check\fR\|(3).
|
|
.PP
|
|
For \s-1DH\s0 Keys, \fIEVP_PKEY_private_check\fR\|(3) tests that the private key is in the
|
|
correct range according to SP800\-56Ar3. The OpenSSL \s-1FIPS\s0 provider requires the
|
|
value of \fIq\fR to be set (note that this is set for named safe prime groups).
|
|
For backwards compatibility the OpenSSL default provider only requires \fIp\fR to
|
|
be set.
|
|
.PP
|
|
For \s-1DH\s0 keys, \fIEVP_PKEY_pairwise_check\fR\|(3) conforms to
|
|
SP800\-56Ar3 \fIOwner Assurance of Pair-wise Consistency\fR.
|
|
.SH "EXAMPLES"
|
|
.IX Header "EXAMPLES"
|
|
An \fB\s-1EVP_PKEY\s0\fR context can be obtained by calling:
|
|
.PP
|
|
.Vb 1
|
|
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
|
|
.Ve
|
|
.PP
|
|
A \fB\s-1DH\s0\fR key can be generated with a named safe prime group by calling:
|
|
.PP
|
|
.Vb 4
|
|
\& int priv_len = 2 * 112;
|
|
\& OSSL_PARAM params[3];
|
|
\& EVP_PKEY *pkey = NULL;
|
|
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
|
|
\&
|
|
\& params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
|
|
\& /* "priv_len" is optional */
|
|
\& params[1] = OSSL_PARAM_construct_int("priv_len", &priv_len);
|
|
\& params[2] = OSSL_PARAM_construct_end();
|
|
\&
|
|
\& EVP_PKEY_keygen_init(pctx);
|
|
\& EVP_PKEY_CTX_set_params(pctx, params);
|
|
\& EVP_PKEY_generate(pctx, &pkey);
|
|
\& ...
|
|
\& EVP_PKEY_free(pkey);
|
|
\& EVP_PKEY_CTX_free(pctx);
|
|
.Ve
|
|
.PP
|
|
\&\fB\s-1DHX\s0\fR domain parameters can be generated according to \fB\s-1FIPS186\-4\s0\fR by calling:
|
|
.PP
|
|
.Vb 6
|
|
\& int gindex = 2;
|
|
\& unsigned int pbits = 2048;
|
|
\& unsigned int qbits = 256;
|
|
\& OSSL_PARAM params[6];
|
|
\& EVP_PKEY *param_key = NULL;
|
|
\& EVP_PKEY_CTX *pctx = NULL;
|
|
\&
|
|
\& pctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL);
|
|
\& EVP_PKEY_paramgen_init(pctx);
|
|
\&
|
|
\& params[0] = OSSL_PARAM_construct_uint("pbits", &pbits);
|
|
\& params[1] = OSSL_PARAM_construct_uint("qbits", &qbits);
|
|
\& params[2] = OSSL_PARAM_construct_int("gindex", &gindex);
|
|
\& params[3] = OSSL_PARAM_construct_utf8_string("type", "fips186_4", 0);
|
|
\& params[4] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0);
|
|
\& params[5] = OSSL_PARAM_construct_end();
|
|
\& EVP_PKEY_CTX_set_params(pctx, params);
|
|
\&
|
|
\& EVP_PKEY_generate(pctx, ¶m_key);
|
|
\&
|
|
\& EVP_PKEY_print_params(bio_out, param_key, 0, NULL);
|
|
\& ...
|
|
\& EVP_PKEY_free(param_key);
|
|
\& EVP_PKEY_CTX_free(pctx);
|
|
.Ve
|
|
.PP
|
|
A \fB\s-1DH\s0\fR key can be generated using domain parameters by calling:
|
|
.PP
|
|
.Vb 2
|
|
\& EVP_PKEY *key = NULL;
|
|
\& EVP_PKEY_CTX *gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL);
|
|
\&
|
|
\& EVP_PKEY_keygen_init(gctx);
|
|
\& EVP_PKEY_generate(gctx, &key);
|
|
\& EVP_PKEY_print_private(bio_out, key, 0, NULL);
|
|
\& ...
|
|
\& EVP_PKEY_free(key);
|
|
\& EVP_PKEY_CTX_free(gctx);
|
|
.Ve
|
|
.PP
|
|
To validate \fB\s-1FIPS186\-4\s0\fR \fB\s-1DHX\s0\fR domain parameters decoded from \fB\s-1PEM\s0\fR or
|
|
\&\fB\s-1DER\s0\fR data, additional values used during generation may be required to
|
|
be set into the key.
|
|
.PP
|
|
\&\fIEVP_PKEY_todata()\fR, \fIOSSL_PARAM_merge()\fR, and \fIEVP_PKEY_fromdata()\fR are useful
|
|
to add these parameters to the original key or domain parameters before
|
|
the actual validation. In production code the return values should be checked.
|
|
.PP
|
|
.Vb 11
|
|
\& EVP_PKEY *received_domp = ...; /* parameters received and decoded */
|
|
\& unsigned char *seed = ...; /* and additional parameters received */
|
|
\& size_t seedlen = ...; /* by other means, required */
|
|
\& int gindex = ...; /* for the validation */
|
|
\& int pcounter = ...;
|
|
\& int hindex = ...;
|
|
\& OSSL_PARAM extra_params[4];
|
|
\& OSSL_PARAM *domain_params = NULL;
|
|
\& OSSL_PARAM *merged_params = NULL;
|
|
\& EVP_PKEY_CTX *ctx = NULL, *validate_ctx = NULL;
|
|
\& EVP_PKEY *complete_domp = NULL;
|
|
\&
|
|
\& EVP_PKEY_todata(received_domp, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
|
\& &domain_params);
|
|
\& extra_params[0] = OSSL_PARAM_construct_octet_string("seed", seed, seedlen);
|
|
\& /*
|
|
\& * NOTE: For unverifiable g use "hindex" instead of "gindex"
|
|
\& * extra_params[1] = OSSL_PARAM_construct_int("hindex", &hindex);
|
|
\& */
|
|
\& extra_params[1] = OSSL_PARAM_construct_int("gindex", &gindex);
|
|
\& extra_params[2] = OSSL_PARAM_construct_int("pcounter", &pcounter);
|
|
\& extra_params[3] = OSSL_PARAM_construct_end();
|
|
\& merged_params = OSSL_PARAM_merge(domain_params, extra_params);
|
|
\&
|
|
\& ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL);
|
|
\& EVP_PKEY_fromdata_init(ctx);
|
|
\& EVP_PKEY_fromdata(ctx, &complete_domp, OSSL_KEYMGMT_SELECT_ALL,
|
|
\& merged_params);
|
|
\&
|
|
\& validate_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, complete_domp, NULL);
|
|
\& if (EVP_PKEY_param_check(validate_ctx) > 0)
|
|
\& /* validation_passed(); */
|
|
\& else
|
|
\& /* validation_failed(); */
|
|
\&
|
|
\& OSSL_PARAM_free(domain_params);
|
|
\& OSSL_PARAM_free(merged_params);
|
|
\& EVP_PKEY_CTX_free(ctx);
|
|
\& EVP_PKEY_CTX_free(validate_ctx);
|
|
\& EVP_PKEY_free(complete_domp);
|
|
.Ve
|
|
.SH "CONFORMING TO"
|
|
.IX Header "CONFORMING TO"
|
|
.IP "\s-1RFC 7919 \s0(\s-1TLS\s0 ffdhe named safe prime groups)" 4
|
|
.IX Item "RFC 7919 (TLS ffdhe named safe prime groups)"
|
|
.PD 0
|
|
.IP "\s-1RFC 3526 \s0(\s-1IKE\s0 modp named safe prime groups)" 4
|
|
.IX Item "RFC 3526 (IKE modp named safe prime groups)"
|
|
.ie n .IP "\s-1RFC 5114 \s0(Additional \s-1DH\s0 named groups for dh_1024_160"", ""dh_2048_224"" and ""dh_2048_256"")." 4
|
|
.el .IP "\s-1RFC 5114 \s0(Additional \s-1DH\s0 named groups for dh_1024_160``, ''dh_2048_224`` and ''dh_2048_256"")." 4
|
|
.IX Item "RFC 5114 (Additional DH named groups for dh_1024_160, dh_2048_224 and dh_2048_256"")."
|
|
.PD
|
|
.PP
|
|
The following sections of SP800\-56Ar3:
|
|
.IP "5.5.1.1 \s-1FFC\s0 Domain Parameter Selection/Generation" 4
|
|
.IX Item "5.5.1.1 FFC Domain Parameter Selection/Generation"
|
|
.PD 0
|
|
.IP "Appendix D: \s-1FFC\s0 Safe-prime Groups" 4
|
|
.IX Item "Appendix D: FFC Safe-prime Groups"
|
|
.PD
|
|
.PP
|
|
The following sections of \s-1FIPS186\-4:\s0
|
|
.IP "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function." 4
|
|
.IX Item "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function."
|
|
.PD 0
|
|
.IP "A.2.3 Generation of canonical generator g." 4
|
|
.IX Item "A.2.3 Generation of canonical generator g."
|
|
.IP "A.2.1 Unverifiable Generation of the Generator g." 4
|
|
.IX Item "A.2.1 Unverifiable Generation of the Generator g."
|
|
.PD
|
|
.SH "SEE ALSO"
|
|
.IX Header "SEE ALSO"
|
|
\&\s-1\fIEVP_PKEY\-FFC\s0\fR\|(7),
|
|
\&\s-1\fIEVP_KEYEXCH\-DH\s0\fR\|(7)
|
|
\&\s-1\fIEVP_PKEY\s0\fR\|(3),
|
|
\&\fIprovider\-keymgmt\fR\|(7),
|
|
\&\s-1\fIEVP_KEYMGMT\s0\fR\|(3),
|
|
\&\fIOSSL_PROVIDER\-default\fR\|(7),
|
|
\&\s-1\fIOSSL_PROVIDER\-FIPS\s0\fR\|(7)
|
|
.SH "COPYRIGHT"
|
|
.IX Header "COPYRIGHT"
|
|
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
.PP
|
|
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file \s-1LICENSE\s0 in the source distribution or at
|
|
<https://www.openssl.org/source/license.html>.
|